Merge pull request rails#54724 from francktrouillez/bugfix/nonce-false-removes-nonce-option

Make `nonce: false` remove the nonce attribute for `javascript_tag`, `javascript_include_tag` and `stylesheet_link_tag`

Author: rafaelfranca

actionview/CHANGELOG.md

@@ -1,3 +1,7 @@
+*   Make `nonce: false` remove the nonce attribute from `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`.
+
+    *francktrouillez*
+
 *   Add `dom_target` helper to create `dom_id`-like strings from an unlimited
     number of objects.
 

actionview/lib/action_view/helpers/asset_tag_helper.rb

@@ -139,6 +139,8 @@ def javascript_include_tag(*sources)
           }.merge!(options)
           if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
           content_tag("script", "", tag_options)
         }.join("\n").html_safe
@@ -229,6 +231,8 @@ def stylesheet_link_tag(*sources)
           }.merge!(options)
           if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?

actionview/lib/action_view/helpers/javascript_helper.rb

@@ -85,6 +85,8 @@ def javascript_tag(content_or_options_with_block = nil, html_options = {}, &bloc
 
         if html_options[:nonce] == true || (!html_options.key?(:nonce) && auto_include_nonce)
           html_options[:nonce] = content_security_policy_nonce
+        elsif html_options[:nonce] == false
+          html_options.delete(:nonce)
         end
 
         content_tag("script", javascript_cdata_section(content), html_options)

actionview/test/template/asset_tag_helper_test.rb

@@ -564,6 +564,10 @@ def test_javascript_include_tag_nonce_with_auto_nonce
     end
   end
 
+  def test_javascript_include_tag_nonce_false
+    assert_dom_equal %(<script src="/javascripts/bank.js"></script>), javascript_include_tag("bank", nonce: false)
+  end
+
   def test_stylesheet_path
     StylePathToTag.each { |method, tag| assert_dom_equal(tag, eval(method)) }
   end
@@ -594,6 +598,10 @@ def test_stylesheet_link_tag_nonce_with_auto_nonce
     end
   end
 
+  def test_stylesheet_link_tag_nonce_false
+    assert_dom_equal %(<link rel="stylesheet" href="/stylesheets/foo.css"></link>), stylesheet_link_tag("foo.css", nonce: false)
+  end
+
   def test_stylesheet_link_tag_with_missing_source
     assert_nothing_raised {
       stylesheet_link_tag("missing_security_guard")

actionview/test/template/javascript_helper_test.rb

@@ -87,4 +87,16 @@ def test_javascript_tag_with_auto_nonce_for_content_security_policy
     assert_dom_equal "<script nonce=\"iyhD0Yc0W+c=\">\n//<![CDATA[\nalert('hello')\n//]]>\n</script>",
       javascript_tag("alert('hello')")
   end
+
+  def test_javascript_tag_nonce_true
+    instance_eval { def content_security_policy_nonce = "iyhD0Yc0W+c=" }
+    assert_dom_equal "<script nonce=\"iyhD0Yc0W+c=\">\n//<![CDATA[\nalert('hello')\n//]]>\n</script>",
+      javascript_tag("alert('hello')", nonce: true)
+  end
+
+  def test_javascript_tag_nonce_false
+    instance_eval { def content_security_policy_nonce = "iyhD0Yc0W+c=" }
+    assert_dom_equal "<script>\n//<![CDATA[\nalert('hello')\n//]]>\n</script>",
+      javascript_tag("alert('hello')", nonce: false)
+  end
 end